[PATCH] wifi: mt76: fix deadlock in remain-on-channel

Lorenzo Bianconi lorenzo at kernel.org
Mon Dec 8 06:19:35 PST 2025


> mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
> while already holding dev->mutex. Since mt76_set_channel() also acquires
> dev->mutex, this results in a deadlock.
> 
> Use __mt76_set_channel() instead of mt76_set_channel().
> Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
> in mt76_remain_on_channel() to prevent a secondary deadlock with the
> mac_work workqueue.

I think we need a Fixes tag here.

Regards,
Lorenzo

> 
> Signed-off-by: Chad Monroe <chad at monroe.io>
> ---
>  drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
> index 2b705bdb7993..d9f8529db7ed 100644
> --- a/drivers/net/wireless/mediatek/mt76/channel.c
> +++ b/drivers/net/wireless/mediatek/mt76/channel.c
> @@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
>  		mlink->mvif->roc_phy = NULL;
>  	if (phy->main_chandef.chan &&
>  	    !test_bit(MT76_MCU_RESET, &dev->phy.state))
> -		mt76_set_channel(phy, &phy->main_chandef, false);
> +		__mt76_set_channel(phy, &phy->main_chandef, false);
>  	mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
>  	phy->roc_vif = NULL;
>  	phy->roc_link = NULL;
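Review bot: the return value of __mt76_set_channel() is discarded here, while the later hunk in this same patch checks it and unwinds the ROC state on failure. If the switch back to phy->main_chandef fails, mt76_roc_complete() still clears roc_vif/roc_link and releases the link with the radio left on the ROC channel; consider at least logging the error (or stating in a comment why ignoring it is safe here) so the two call sites are consistent.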
> @@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
>  	if (!phy)
>  		return -EINVAL;
>  
> +	cancel_delayed_work_sync(&phy->mac_work);
> +
>  	mutex_lock(&dev->mutex);
>  
>  	if (phy->roc_vif || dev->scan.phy == phy ||
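Review bot: cancel_delayed_work_sync(&phy->mac_work) runs before mutex_lock(&dev->mutex), so nothing in this hunk prevents mac_work from being re-armed between the cancel and the lock acquisition, and the work is also cancelled on the early-return path that follows (`if (phy->roc_vif || dev->scan.phy == phy || ...`) even though that path performs no channel change. The changelog says this avoids "a secondary deadlock with the mac_work workqueue" but does not say where mac_work is re-queued after a successful ROC; please spell that out, together with why the pre-lock window is acceptable.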
> @@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
>  	phy->roc_vif = vif;
>  	phy->roc_link = mlink;
>  	cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
> -	mt76_set_channel(phy, &chandef, true);
> +	ret = __mt76_set_channel(phy, &chandef, true);
> +	if (ret) {
> +		mlink->mvif->roc_phy = NULL;
> +		phy->roc_vif = NULL;
> +		phy->roc_link = NULL;
> +		mt76_put_vif_phy_link(phy, vif, mlink);
> +		goto out;
> +	}
>  	ieee80211_ready_on_channel(hw);
>  	ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
>  				     msecs_to_jiffies(duration));
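Review bot: the error path added after `ret = __mt76_set_channel(phy, &chandef, true);` relies on `ret` being declared and on an `out:` label that drops dev->mutex, neither of which is visible in this hunk; please confirm both exist in the current function. The unwind sequence (roc_phy = NULL, roc_vif = NULL, roc_link = NULL, mt76_put_vif_phy_link()) duplicates the teardown already performed in mt76_roc_complete() in the first hunk, so a small shared helper would keep the two in sync; the changelog should also mention that remain-on-channel now propagates the __mt76_set_channel() error instead of calling ieee80211_ready_on_channel() unconditionally.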
> -- 
> 2.47.3
> 
> 
> 